Capturing a few million network packets is pretty easy. Then comes the challenge of finding the problem. Here we look at two techniques to inject markers into a trace at the moment a problem occurs.
Investigating an intermittent problem is quite challenging. We have seen in earlier blog posts that it's possible to run long-term captures with a tool such as dumpcap, or with any of the high-capacity capture units you may have in your estate. We can then use a tool like Wizz to pull out the traffic for a single user, but that may still leave us with several million packets.
What we need is a signpost: some indication of where in the trace the problem occurred. One way to make life easier is to inject a marker into the trace just after the user has experienced the problem. The marker needs to be distinctive so that we can search for it, and in an enterprise environment we need to be able to generate it using only what is already on the desktop.
A very simple way to generate a marker is to use a ping with a distinctive length ...
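The following is an added example, not code from the original post. It shows both halves of the ping-marker technique: the command a user types to inject the marker (Linux `ping -s` / Windows `ping -l` set the ICMP data length), and a small pcap scanner that walks a capture and reports the frame number and timestamp of every ICMP echo request whose payload has the distinctive length. The marker size of 1313 bytes, the MAC/IP addresses and the sample capture are all constructed for the example; the scanner builds its own tiny pcap in memory so it runs offline, and the same `find_markers` function works on a file produced by dumpcap or Wireshark (classic little-endian pcap, Ethernet link type).

```python
import struct

# Assumption: the marker is a ping with a 1313-byte ICMP data field, a size no
# normal application traffic on the desktop is likely to produce.
MARKER_PAYLOAD_LEN = 1313


def marker_ping_command(host, size=MARKER_PAYLOAD_LEN, windows=False):
    """Command the user runs right after seeing the problem (1 packet only)."""
    if windows:
        return f"ping -n 1 -l {size} {host}"   # Windows: -l sets data bytes
    return f"ping -c 1 -s {size} {host}"       # Linux/macOS: -s sets data bytes


def icmp_echo_frame(payload_len, icmp_type=8):
    """Build an Ethernet/IPv4/ICMP frame. Checksums are left zero because the
    scanner does not verify them; addresses are constructed sample values."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + icmp


def arp_frame():
    """A non-IP frame, to show the scanner skips traffic it does not understand."""
    return bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x08\x06" + bytes(28)


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs as a classic pcap (magic 0xA1B2C3D4, link type 1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def find_markers(pcap_bytes, marker_len=MARKER_PAYLOAD_LEN):
    """Return [(frame_number, timestamp)] for every ICMP echo request carrying
    exactly marker_len data bytes. Frame numbers start at 1, as in Wireshark."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap")
    linktype, = struct.unpack("<I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("expected Ethernet link type")
    hits, off, number = [], 24, 0
    while off + 16 <= len(pcap_bytes):
        sec, usec, incl, _orig = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl]
        off += incl
        number += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        if ip[0] >> 4 != 4 or ip[9] != 1:                     # not IPv4 / not ICMP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len, = struct.unpack("!H", ip[2:4])
        icmp = ip[ihl:total_len]
        if len(icmp) < 8 or icmp[0] != 8:                     # not an echo request
            continue
        if len(icmp) - 8 == marker_len:
            hits.append((number, sec + usec / 1_000_000))
    return hits


def demo():
    """Constructed capture: ordinary pings, an ARP frame, then the marker and its reply."""
    capture = build_pcap([
        (100.0,    icmp_echo_frame(56)),                  # 1: normal ping
        (100.2,    arp_frame()),                          # 2: unrelated frame
        (100.5,    icmp_echo_frame(MARKER_PAYLOAD_LEN)),  # 3: the marker
        (100.5001, icmp_echo_frame(MARKER_PAYLOAD_LEN, icmp_type=0)),  # 4: reply, ignored
        (101.0,    icmp_echo_frame(56)),                  # 5: normal ping
    ])
    return find_markers(capture)


if __name__ == "__main__":
    print(marker_ping_command("10.0.0.2"))
    for number, ts in demo():
        print(f"marker at frame {number}, t={ts:.6f}")
```

To use it on a real capture, read the file and call `find_markers(open("trace.pcap", "rb").read())`; the frame numbers it prints line up with Wireshark's, so jumping to the problem is a matter of going to that frame and reading backwards. Only echo requests are counted, so the reply coming back with the same payload size does not produce a second hit.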